Chin says Exchange's reliability is generally taken for granted. "However, what if all e-mail communications suddenly became compromised?" he says. "For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today's e-mail conversations."

Ross Barrett, senior manager of security engineering at Rapid7, agrees. "If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list," Barrett says.

Another critical alert, Bulletin 1, affects current versions of operating systems Windows 8 (and Windows RT) and Windows Server 2012, as well as earlier versions back through Windows XP and Windows Server 2003.

There are no details on what the exact vulnerabilities are, but being ranked critical means they could allow code execution even if the user doesn't interact with the attack. Self-propagating malware and code execution without warnings or prompts are exploits that fit this category. Examples include browsing an infected Web page or opening a malicious email.

"To me, Bulletin 1 is most critical," says Ken Pickering, the director of engineering at CORE Security. "The last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after. People are getting good at turning these IE vulnerabilities into web-based attacks."

Bulletin 1 affects Internet Explorer from Version 6 to Version 10 as deployed on all Windows client operating systems from Windows XP to Windows 8, including its ARM version, Windows RT. It also affects Windows Server 2003, 2008, 2008 R2 and 2012.

Three out of eight bulletins this month are critical, possibly facilitating remote code execution on victim machines. The rest of the bulletins are ranked important, two allowing elevation of privileges by attackers, two threatening denial of service and one that could allow disclosure of information on the attacked machine.

Paul Henry, a security and forensics analyst at Lumension, notes that the bulletin count for this year so far is up seven over last year at this time, but this year so far there are 10 fewer critical ones.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.